Ask HN: Cloudflare broke my domain's DNSSEC making it unreachable since 4 days

139 points by medguru about 3 years ago

tl;dr - Cloudflare rendered my domain inaccessible and support has been ignoring the ticket for 4 days, what's the fastest way to get technical assistance when on a free plan?

Last week I transferred a domain used for a personal project from my old registrar to Cloudflare. After the transfer was finalized and new NS records had propagated, everything resolved normally and everything was working fine. I then enabled DNSSEC, and after a while the domain would no longer resolve. Every DNS server I try - Google, Quad9, OpenDNS, even Cloudflare's own DNS on 1.1.1.1 - returns SERVFAIL. The excellent diagnostic tool on dnsviz.net tells me that the domain is returning bogus DNSKEY/DS/NSEC responses and bogus delegation status. "no SEP matching the DS found".

I tried canceling the DNSSEC setup and waiting for over a day, with no effect. I re-enabled DNSSEC setup and waited for 3 days, with no effect. Cloudflare's control panel has since several days now been saying that DNSSEC will be enabled "in the next 24 hours". My site cannot be reached, and Cloudflare's support cannot be reached.

I've been forced to migrate the project and its (few) users to a completely different domain. I cannot inconvenience users by bouncing them back and forth, so the domain Cloudflare ruined for me is now effectively lost, as is the "branding" of the project which was reflected in the domain's name.

How can I get their attention without paying for an Enterprise plan? I would like to think that basic functional service should be accessible even when using Cloudflare only as a registrar with fundamental DNS on a free plan.

19 comments

elithrar about 3 years ago

(It sucks that I had to see this on HN)

Can you email me - silverlock at cloudflare - with your ticket ID and domain name so I can understand what broke?
medguru about 3 years ago

Update for those who were curious:

Roughly one hour after I e-mailed @elithrar who kindly reached out and offered to expedite the issue, the broken DNSSEC records were partly fixed. The domain once again resolved through all major DNSes, and public access was restored. At that point dnsviz.net told me that A, MX, etc. records were "insecure", though name resolution worked fine. A few minutes ago I took another look with dnsviz and it's now telling me that all records are secure. Everything looks normal again.

Thanks a bunch for helping out, @elithrar. I really appreciate that you were proactive.

If the problem had somehow fixed itself or if the support ticket had gotten *any* attention or feedback at all within a day or two instead of just being "snoozed" by support staff, I wouldn't have made any noise about it. After four days of complete silence a bit of "cry-baby consumer activism" seemed like the only resort.

If CF reconnects to me with an update on why the domain dead-locked and why it took 4 days to untilt everything I'll add that info as well.

I've been OP and this has been an update about my domain woes.
Yeri about 3 years ago

(CF TAM here)

All plans come with support. Even the free plans (community, or email, the bot will deflect the request but if you email you're still stuck, you will get a reply _eventually_ (due to heavy support load, it can take a while though).

The correct procedure would be:

* turn off DNSsec on old registrar (and wait a day or two)
* update NS and/or migrate domain
* wait a while and make sure it works
* turn on DNSsec in CF dash and update DNSsec settings in the domain

It's not that DNSsec doesn't work -- it's doing exactly what it's supposed to be doing.
_wldu about 3 years ago

DNSSEC is notorious for breaking things [1]. I use it on most of my domains, but I would not just 'enable' it on a domain that I cared about and that had real users without a lot of thought and planning. Nor should you.

[1] - https://ianix.com/pub/dnssec-outages.html
scrollaway about 3 years ago

> what's the fastest way to get technical assistance when on a free plan?

Upgrading to a non-free plan?

You don't have to upgrade to enterprise, but even their $20/mo plan comes with support.

(Also, I hate to victim-blame here but using DNSSEC was a bad idea in the first place)
jgrahamc about 3 years ago
Reading this hurts. I see that @elithrar has given out his email address and is following up but I will also be following this internally to understand what happened.
groffee about 3 years ago

> How can I get their attention without paying for an Enterprise plan?

Just comment on HN and they'll crawl out of the woodwork.
wnoise about 3 years ago

English language usage note: "since" takes a past point in time, not a duration. You want either "unreachable for 4 days", or "unreachable since 4 days ago".
andrewstuart about 3 years ago

I had the same problem.

I registered a domain at Google Domains.

Then I configured the domain at Cloudflare.

At first it worked OK then I started getting SERVFAIL.

I found the problem was there was still DNSSEC configuration set up at Google Domains. I deleted that and everything worked OK.

Cloudflare was not at fault in my case.
oneplane about 3 years ago

> How can I get their attention without paying for an Enterprise plan?

By paying for the cheapest plan, or any plan at all for that matter.
redm about 3 years ago

Enterprise plans no longer come with "premium" support either, you are looking at 20% over contract value to get a similar level of previously included support and an SLA. To be fair, Cloudflare provides a lot of services for free and $20 premium plan with upgraded support seems like a pretty good deal!
pteraspidomorph about 3 years ago
I had a problem with a similar effect some time ago but I run my own DNS (no Cloudflare). I accidentally clicked a button in my control panel to regenerate the zone keys, which means the published keys mismatched the new zone signature for a couple of days until I was able to get the registrar to update them and everything propagated (even when a registrar supports the .eu TLD they are usually severely lacking in automation). The control panel devs have since added a confirmation dialog!
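
The failure several posters describe (dnsviz's "no SEP matching the DS found", a stale DS left at the previous registrar, regenerated zone keys) comes down to the DS record at the parent no longer hashing to any DNSKEY the zone publishes. The following is an added example, not code from any commenter or from Cloudflare: it recomputes the key tag and SHA-256 DS digest per RFC 4034 and compares them. The keys are constructed 64-byte blobs, `example.com` is a placeholder, and only digest type 2 is handled.

```python
import base64
import hashlib
import struct

def wire_name(name):
    """Owner name in canonical wire format: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it appears on the wire (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], 2, digest)

def matching_keys(owner, dnskeys, ds_records):
    """Key tags of published zone keys that some parent-side DS points at.
    An empty list is a broken chain of trust: validating resolvers SERVFAIL."""
    ds_set = {(t, a, dt, d.upper()) for t, a, dt, d in ds_records}
    matched = []
    for key in dnskeys:
        ds = make_ds(owner, key)
        if key[0] & 0x0100 and ds in ds_set:   # Zone Key flag must be set
            matched.append(ds[0])
    return matched

def _fake_key(flags, start):
    # Constructed 64-byte blob standing in for an ECDSA P-256 public key.
    return (flags, 3, 13, base64.b64encode(bytes(range(start, start + 64))).decode())

OLD_KSK = _fake_key(257, 0)      # key the DS at the registry was derived from
NEW_KSK = _fake_key(257, 64)     # key the zone publishes after the change
NEW_ZSK = _fake_key(256, 128)
STALE_DS = make_ds("example.com", OLD_KSK)

if __name__ == "__main__":
    zone_keys = [NEW_KSK, NEW_ZSK]
    print("stale DS matches:", matching_keys("example.com", zone_keys, [STALE_DS]))
    fresh = make_ds("example.com", NEW_KSK)
    print("fresh DS matches:", matching_keys("example.com", zone_keys, [fresh]))
```

The same comparison works on real records by feeding in the fields from the zone's DNSKEY answers and the DS records returned by the parent zone.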
InitialBP about 3 years ago

Sorry to hear about your problem, a quick recommendation would be to keep the temporary DNS name you bought and simply redirect to your previous name once you have the issue resolved (or vice versa if the branding is less important to you.) This way your users won't need to know or care about the change anymore aside from this temporary setback.
williamtwild about 3 years ago

> I've been forced to migrate the project and its (few) users to a completely different domain. I cannot inconvenience users by bouncing them back and forth, so the domain Cloudflare ruined for me is now effectively lost, as is the "branding" of the project which was reflected in the domain's name.

If this was that important then you should not have used the free plan.
ejjpi about 3 years ago

I'm also noticing that Cloudflare support is going terribly downhill.

I have an issue with the Cloudflare infrastructure on my domain since WEEKS, giving me thousands of 503 Service Temporarily Unavailable errors per day (cloudflare side, not the origin server) and nobody seems to care or able to resolve.

Removing the ability to create support tickets on free plan doesn't help at all, I mean, I get it why they're doing it, but asking on their community forum as an alternative it's not an acceptable solution. Neither going after Cloudflare employees on social media platforms hoping for a reply.

If I'm also going to pay for their services such as Zero Trust, domains registrar and R2, why do I have to switch to a Pro plan just to open a support ticket? Perhaps a middle-ground solution like 1 free support ticket per month on a free plan would be a good compromise?

I still think they're giving an incredible service and value for free, but this sucks.
warrenm about 3 years ago

First problem - trusting Cloudflare :|

I've had nothing but problems with them personally

I know some people swear *by* them ... I'm in the "swear *at* them" camp
xbar about 3 years ago
dnsviz.net is awesome.
jSherz about 3 years ago
Does your TLD definitely support DNSSEC?
b3lvedere about 3 years ago
-- removed. My apologies. --